Helping Clients Navigate The Dynamic Area Of The DPF For EU-U.S. Data Transfers
The EU-US Data Privacy Framework (DPF) is the latest development in a saga that has spanned decades, aimed at reconciling and streamlining cross-border data transfers from the European Union (EU) to the United States (US), as well as the relevant Swiss DPF and UK Extension. The storied history of data transfer mechanisms and their invalidation, ranging from the Safe Harbor to the Privacy Shield, including the role of Max Schrems’ NGO, NOYB, and the eponymous Schrems II decision, has caused much turmoil and resource expenditure among many organizations.
The DPF is an adequacy decision that concludes that the US provides a “level of protection essentially equivalent” to that of the EU for personal data transferred to certified organizations in the US. Underpinning the DPF are several principles that organizations must adhere to in order to attain and maintain certification, including notice, choice, accountability for onward transfers, security, data integrity and purpose limitation, access and recourse, enforcement, and liability. Further, redress also plays a leading role under the DPF. Specifically, redress aims to ensure that US intelligence activities are “necessary and proportionate in the pursuit of defined national security objectives.” As part of this, establishing an adjudicating function called the Data Protection Review Court (DPRC) will allow residents of the EU to initiate a process whereby the DPRC may instruct the relevant intelligence agencies to take remedial actions. In line with the redress process, the European Data Protection Board (EDPB) has published procedural rules regarding how complaints are to be handled under the redress system, including the Rules of Procedure, the Information Note, and the Complaint Template.
With so many previous iterations of data transfer mechanisms invalidated and further challenges on the horizon, including comments made by Schrems in March 2025 about strategies to cause such invalidation, the DPF’s future remains uncertain. There are encouraging signs that the DPF is here to stay for now, with the European Commission publishing its first review of the adequacy decision after its first year in force.
RICHT is at the forefront of this dynamic area, focusing on helping clients stay ahead of the ever-evolving privacy regulatory landscape, including international data transfers and the DPF.

Data Privacy Framework (DPF) Law Services We Offer
Data Privacy Framework (DPF) Certification
Other Data Transfer Mechanism Implementation
Ongoing Data Privacy Framework (DPF) Compliance
“Transatlantic data flows are critical to enabling the $7.1 trillion EU-U.S. economic relationship. The EU-U.S. DPF will restore an important legal basis for transatlantic data flows by addressing concerns that the Court of Justice of the European Union raised in striking down the prior EU-U.S. Privacy Shield framework as a valid data transfer mechanism under EU law.”
Source: Executive Order to Implement the European Union-U.S. Data Privacy Framework
Resources
- What the PCLOB Firings Mean for the EU-US Data Privacy Framework
- International: UK-US data bridge, an extension to the EU-US DPF
- Webinar – The Finalization of the UK-U.S. Data Bridge